
Article: vsftpd on Suse Linux pro »

FERDY CHRISTANT - AUG 23, 2005 (05:49:57 PM)

This week my holiday started, for 3 weeks I will not have to work. Next week I will have my actual holiday in Ireland with 3 friends, the other two weeks I'll mostly spend relaxing and catching up with things.

Today's follow-up activity is on setting up a vsftpd (Very Secure FTP Daemon) server on my new Suse installation. The Suse website claims this is a 5 minute job, because the package comes installed with Suse 9.3. All I was supposed to do is edit one config file.

Not for me. In the end I spent an entire day getting it to work exactly the way I want it to. Partly because I'm a Linux n00b, partly because the specifics of setting up my installation were not in the basic instructions from Novell. After my 19th nervous breakdown, I have what I want. Looking back at the process, it is still not intuitive to me. That's why I'll list my steps in this mini article, so I can remember it next time I have to do this. Maybe it is of use to you as well.

Goal

vsftpd promises security and performance, and is well recommended by the Linux community. Not wishing to argue with that, I decided this would be the package I need. The setup I want is simple:

The FTP server must be accessible from both my Linux and Windows machine

Anonymous users should not have access at all

One or more users get full access to the FTP root directory, these users will be managed using local Linux accounts

This may seem like a very straightforward installation, but it's not. vsftpd has a number of example configurations, located in the /usr/share/doc/packages/vsftpd/example directory, but my setup is not listed in there.

Installation

vsftpd runs on any Linux kernel, yet the installation instructions may differ per distribution. For Suse, I simply opened Yast, chose the "Add software" option, and selected the vsftpd package to install. Next, I had to insert CD 4 and go ahead with the installation. Look up the instructions for your distribution. The rest of this article should work similarly irrespective of your distribution.

Security

I wanted to create a separate user for ftp administration access, so I did. This user will have full access to its own home directory, which will be the shared FTP root directory. Log in as root user, and execute the following commands in the console:

This is the most important step. It consists of creating a few configuration files. The most important file is vsftpd.conf, which you should create in the /etc directory. Below is my listing of this file, included with comments:

# disallow anonymous ftp access
anonymous_enable=NO

# allow local users to log in
local_enable=YES

# allow FTP write commands
write_enable=YES

# umask for local users, (022 is used by most other ftpd's)
local_umask=022

# login banner string
ftpd_banner=Welcome to the s3maphor3 FTP service

# enable/specify list of local users to chroot() to their home directory.
# if chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

# authentication service
pam_service_name=vsftpd

# disable user list
userlist_enable=NO

# enable for standalone mode
listen=YES

We have specified that users should be "chrooted". This means that authenticated FTP users will be confined to the home directory specified in their user account. Since we have set this up for the ftpadmin account, this is what we want. The list of users to chroot is maintained in a file called vsftpd.chroot_list in the /etc directory. Mine looks like this:

ftpadmin
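A quick way to check a vsftpd.conf against the goals above before starting the daemon, as an added example that is not part of the original article. It flags non-comment lines with no `=` or an empty value (what the "500 OOPS: missing value in config file for:" message names) and falls back to vsftpd's built-in defaults (anonymous_enable=YES, local_enable=NO) for options that are absent. The function names and sample strings are made up for illustration, and only the literal YES/NO spellings used in the article are recognised.

```python
# vsftpd's built-in defaults for the options this article relies on.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO",
            "chroot_local_user": "NO", "chroot_list_enable": "NO"}

def parse_conf(text):
    """Return (settings, errors) for the text of a vsftpd.conf file."""
    settings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep or not value:
            # Typical cause: a long comment wrapped onto a new line when pasted.
            errors.append(f"line {n}: missing value for {key!r}")
        elif key != key.strip() or value != value.strip():
            errors.append(f"line {n}: whitespace next to '=' or at end of line")
        else:
            settings[key] = value
    return settings, errors

def audit(text, chroot_users):
    """Check the article's goals; chroot_users is the content of the chroot list."""
    settings, findings = parse_conf(text)
    eff = {**DEFAULTS, **settings}
    if eff["anonymous_enable"] != "NO":
        findings.append("anonymous logins are enabled")
    if eff["local_enable"] != "YES":
        findings.append("local accounts cannot log in")
    if eff["chroot_local_user"] != "YES" and not (
            eff["chroot_list_enable"] == "YES" and chroot_users):
        findings.append("no local user is confined to a home directory")
    return findings

# Constructed samples: GOOD is a subset of the listing above; in BROKEN the
# second comment line lost its '#' and anonymous_enable is absent.
GOOD = "anonymous_enable=NO\nlocal_enable=YES\nchroot_list_enable=YES\n"
BROKEN = ("# if chroot_local_user is YES, then this list becomes\n"
          "a list of users to NOT chroot().\n"
          "local_enable=YES\n"
          "chroot_list_enable=YES\n")

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, audit(conf, ["ftpadmin"]))
```
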

Finally, a third file is needed to complete the configuration. We want the FTP server to start when the system is started, and to be stopped when the system is shut down. To realize this, we need to create a script file named vsftpd in the /etc/init.d directory:

Before trying to access the FTP server from a remote machine, it is wise to do a local test, to see if your configuration is working without the worries of a firewall. First make sure the vsftpd service is started. It should run automatically when you have rebooted, but you can also kick it manually. Since I run vsftpd in stand-alone mode (outside of the xinetd network service), the command to start it would be:

/usr/sbin/vsftpd &

The command to stop it is:

killall vsftpd

Now that the service is started, let's do a local test. Here's my successful FTP session, based on the configuration above:

If anything goes wrong while starting the service or doing the local test, remember the error number and do a google :)

Firewall settings

Many Linux distributions by default have their firewall enabled. This is a good thing. I found out that Suse does not allow FTP traffic from a remote machine. The way to configure it to allow FTP traffic may differ per distribution. I have used the Yast control panel, security section, firewall, advanced dialog and added port 21 (FTP control) and port 20 (FTP data) to the TCP ports.

Remote test

The last step in the process is testing remote FTP access. For this purpose I have simply used a command prompt as FTP client on my Windows machine. Here's my successful remote FTP session output:

SEP 3, 18:42:23

SEP 4, 13:23:35

» I would like if possible a tutorial also for adding anonymous users and admin user, both having the same path, only the admin having the privileges to erase/write new files, whilst anonymous only having the privilege to read. This would be necessary for a bigger LAN. And also a how-to about restricting access to only specific classes of IPs, for example only to xxx.xxx.xxx.0/24 and yyy.yyy.yyy.0/25 and maybe limiting speed for certain IPs «

SEP 26, 13:54:41

JAN 30, 05:33:49 PM

» I'm using Suse 10, and I have vsFTPd working great... but clients will not be able to connect when I enable the firewall. I opened port 21 and still doesn't work. If I disable the firewall, I can connect with clients no problem. Any ideas anyone?? «

MAR 9, 08:18:52 AM

"I would like if possible a tutorial also for adding anonymous users and admin user, both having the same path, only the admin having the privileges to erase/write new files, whilst anonymous only having the privilege to read"

Has anybody got this working yet? I have prevented deletion of files from all directories, but I want an admin/root user that can delete these files when they log in.

APR 23, 11:43:19 PM

MAY 3, 03:51:56 AM

» I have gone through and tried everything you said. Then went through and tried to correct everything that everyone posted. My vsftpd still doesn't work. I get the 500 OOPS: missing value in config file for: error... I have gone through and checked everything. Any other ideas? Please email «

MAY 26, 04:25:00 PM

» ferdy,

Thank you very much for this tutorial. I spent all day yesterday following a different setup tut, only to come to a dead stop when the setup didn't work. Your setup and instructions are exactly what I needed, and it worked without a hitch. Thanks Again !! «

AUG 30, 10:15:42

SEP 30, 11:21:12 PM

» Those of you having the stupid non-informative

# 500 OOPS: missing value in config file for:

error, what you need to do is clear all comments of the vsftpd.conf file and only use your settings. This worked for me. This could be a parse error with this version, who knows... but for reference here are my current settings that work.

OCT 2, 04:23:09 AM

» just one thing...the ftpadmin user is added...so if ur ssh daemon is running...one can login by ftpadmin acct if he knows the passwd...and he got the permissions to browse any folder except /root ....so maybe disable ssh login for ftpadmin....over and above very good article...i shud say excellent ... «


NOV 14, 11:49:35

DEC 5, 10:53:55 AM

» hahahaha, the VSFTPD is not secure at all. Using an FTP client you need to key in user name and password to access the file. BUT you can access the files without keying in user name and password by using a web browser. «

DEC 6, 07:39:40 AM

DEC 31, 01:33:12 AM

» Man that worked like a charm. I had some of the problems people had above but if you do it just like it says you won't. I had some problems with the chroot command giving the dir permissions but I solved that. Jamal has not disabled anonymous logins. You're right, with that on it is not very secure. «

SEP 29, 09:10:03 AM

OCT 11, 14:06:11

» Hey, great tutorial but I need more help with this. I am accessing the ftp server from a remote pc, opening files (.doc, .xls, .txt) with WExplorer directly from there. The problem is I can not save/overwrite files after editing. Can someone help me?

MAR 24, 2008 - 01:02:33 PM

» Sorry to say, but JAMAL is right: after setting up vsftpd using this tutorial, everything works OK, except one thing: if I try to log in locally using Firefox ftp://localhost, the first time it will prompt me for user/password, BUT closing Firefox and opening it again, it will not prompt you for user/pass anymore until you restart the vsftpd... also the same thing happens from the www side, not only local... Just try for yourself using Firefox or IE...

JUL 14, 2008 - 09:21:35 PM

» Hi, As a total newbie, I have set up this ftp configuration on SUSE 10.0 as it is perfect for what I need, but i get a 530 This FTP server is anonymous only when I log on. I have the vsftpd.conf in etc as copied from this site. Any ideas would be awesome, as I would love to start using my first linux server!! That's for the tutorial! «